b"   AUDIT OF COMPLIANCE WITH STANDARDS\n\n                GOVERNING\n\nCOMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n\n NORTH DAKOTA OFFICE OF ATTORNEY GENERAL\n\n             CRIME LABORATORY\n\n         BISMARCK, NORTH DAKOTA\n\n\n\n\n\n          U.S. Department of Justice\n\n        Office of the Inspector General\n\n                 Audit Division\n\n\n\n         Audit Report GR-60-13-005\n\n                 April 2013\n\n\x0c  AUDIT OF COMPLIANCE WITH STANDARDS GOVERNING\n\n   COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n\n     NORTH DAKOTA OFFICE OF ATTORNEY GENERAL\n\n                 CRIME LABORATORY\n\n             BISMARCK, NORTH DAKOTA\n\n\n                            EXECUTIVE SUMMARY\n\n\n\n      The Department of Justice Office of the Inspector General (OIG), Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the North Dakota Office\nof Attorney General Crime Laboratory (Laboratory) in Bismarck, North\nDakota.\n\nBackground\n\n      The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS program combines\nforensic science and computer technology to provide an investigative tool to\nfederal, state, and local crime laboratories in the United States, as well as\nthose from select international law enforcement agencies. The CODIS\nprogram allows these crime laboratories to compare and match DNA profiles\nelectronically to assist law enforcement in solving crimes and identifying\nmissing or unidentified persons. 1 The FBI\xe2\x80\x99s CODIS Unit manages CODIS, as\nwell as develops, supports, and provides the program to crime laboratories\nto foster the exchange and comparison of forensic DNA evidence.\n\n      The FBI implemented CODIS as a distributed database with\nhierarchical levels that enables federal, state, and local crime laboratories to\ncompare DNA profiles electronically. The hierarchy consists of three distinct\nlevels that flow upward from the local level to the state level and then, if\nallowable, the national level. The National DNA Index System (NDIS), the\nhighest level in the hierarchy, contains DNA profiles uploaded by law\nenforcement agencies across the United States and is managed by the FBI.\nNDIS enables the laboratories participating in the CODIS program to\nelectronically compare DNA profiles on a national level. The State DNA\nIndex System (SDIS) is used at the state level to serve as a state\xe2\x80\x99s DNA\n\n       1\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\x0cdatabase and contains DNA profiles from local laboratories and state\noffenders. The Local DNA Index System (LDIS) is used by local laboratories.\n\nOIG Audit Objectives\n\n      Our audit generally covered the period from October 2010 through\nNovember 2012. The objectives of our audit were to determine if: (1) the\nNorth Dakota Office of Attorney General Crime Laboratory was in compliance\nwith select NDIS Operational Procedures; (2) the Laboratory was in\ncompliance with certain Quality Assurance Standards (QAS) issued by the\nFBI; and (3) the Laboratory\xe2\x80\x99s forensic DNA profiles in CODIS databases were\ncomplete, accurate, and allowable for inclusion in NDIS.\n\n      Our review determined the following:\n\n      \xe2\x80\xa2\t The Laboratory was in compliance with the NDIS operational\n         procedures tested. The Laboratory had sufficient measures to\n         physically and electronically safeguard CODIS; for each CODIS\n         user, all appropriate documents were provided to the FBI, and for\n         the sample of NDIS Match\xe2\x80\x99s we reviewed, the match confirmation\n         process was timely. However, the Laboratory\xe2\x80\x99s written policy on\n         the casework confirmation process was not detailed. The policy\n         was updated during field work and we take no further exception to\n         the policy.\n\n      \xe2\x80\xa2\t The Laboratory was in compliance with the QAS we reviewed,\n         including: (1) completion of periodic external QAS reviews; (2)\n         proper controls to prevent Laboratory access by unauthorized\n         personnel; and (3) adequate procedures to ensure the integrity of\n         evidence and convicted offender samples. We also found the\n         laboratory does not currently outsource the analysis of its forensic\n         DNA samples to another laboratory.\n\n      \xe2\x80\xa2\t We reviewed 100 of the Laboratory\xe2\x80\x99s 549 forensic profiles that have\n         been uploaded to NDIS as of October 11, 2012. Of the 100 forensic\n         profiles sampled, we found that 99 profiles were complete,\n         accurate, and allowable for inclusion in NDIS. One profile was\n         complete and accurate but unallowable for inclusion in NDIS, as the\n         sample was taken from a shoe, which was removed directly from\n         the suspect. The Laboratory deleted the profile prior to our arrival;\n         as a result we take no further exception to the unallowable profile.\n\n      The results of our audit are discussed in detail in the Findings section\nof the report; we make no recommendations to the FBI. Our audit\n\n\n                                       ii\n\x0cobjectives, scope, and methodology are detailed in Appendix I of the report\nand the audit criteria are detailed in Appendix II.\n\n      We discussed the results of our audit with Laboratory officials and\nhave included their comments in the report as applicable.\n\n\n\n\n                                      iii\n\x0c                                TABLE OF CONTENTS\n\n\n\nINTRODUCTION ................................................................................ 1\n\n   Background .....................................................................................1\n\n   OIG Audit Objectives ........................................................................1\n\n   Legal Foundation for CODIS...............................................................2\n\n   CODIS Structure ..............................................................................2\n\n   Laboratory Information .....................................................................6\n\n\nFINDINGS......................................................................................... 7\n\n   I. Compliance with NDIS Operational Procedures.................................7\n\n   II. Compliance with Quality Assurance Standards ................................9\n\n   III. Suitability of Forensic DNA Profiles in CODIS Databases................ 12\n\n\nAPPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY ............... 14\n\n\nAPPENDIX II: AUDIT CRITERIA ...................................................... 16\n\n   NDIS Operational Procedures ........................................................... 16\n\n   Quality Assurance Standards ........................................................... 16\n\n   Office of the Inspector General Standards ......................................... 18\n\n\nAPPENDIX III: FBI RESPONSE TO THE DRAFT REPORT .................. 19\n\n\x0c  AUDIT OF COMPLIANCE WITH STANDARDS GOVERNING\n\n   COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n\n     NORTH DAKOTA OFFICE OF ATTORNEY GENERAL\n\n                 CRIME LABORATORY\n\n             BISMARCK, NORTH DAKOTA\n\n\n                                 INTRODUCTION\n\n\n\n      The Department of Justice Office of the Inspector General (OIG), Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the North Dakota Office\nof Attorney General Crime Laboratory (Laboratory).\n\nBackground\n\n      The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS provides an\ninvestigative tool to federal, state, and local crime laboratories in the United\nStates using forensic science and computer technology. The CODIS program\nallows these laboratories to compare and match DNA profiles electronically,\nthereby assisting law enforcement in solving crimes and identifying missing\nor unidentified persons. 1 The FBI\xe2\x80\x99s CODIS Unit manages CODIS and is\nresponsible for its use in fostering the exchange and comparison of forensic\nDNA evidence.\n\nOIG Audit Objectives\n\n      Our audit generally covered the period from October 2010 to\nNovember 2012. The objectives of our audit were to determine if: (1) the\nNorth Dakota Office of Attorney General Crime Laboratory was in compliance\nwith select National DNA Index System (NDIS) Operational Procedures; (2)\nthe Laboratory was in compliance with certain Quality Assurance Standards\n(QAS) issued by the FBI; and (3) the Laboratory\xe2\x80\x99s forensic DNA profiles in\nCODIS databases were complete, accurate, and allowable for inclusion in\nNDIS. Appendix I contains a detailed description of our audit objectives,\nscope, and methodology; and Appendix II contains the criteria used to\nconduct the audit.\n\n       1\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\x0cLegal Foundation for CODIS\n\n      The FBI\xe2\x80\x99s CODIS program began as a pilot project in 1990. The DNA\nIdentification Act of 1994 (Act) authorized the FBI to establish a national\nindex of DNA profiles for law enforcement purposes. The Act, along with\nsubsequent amendments, has been codified in a federal statute (Statute)\nproviding the legal authority to establish and maintain NDIS. 2\n\n\nAllowable DNA Profiles\n\n      The Statute authorizes NDIS to contain the DNA identification records\nof persons convicted of crimes, persons who have been charged in an\nindictment or information with a crime, and other persons whose DNA\nsamples are collected under applicable legal authorities. Samples voluntarily\nsubmitted solely for elimination purposes are not authorized for inclusion in\nNDIS. The Statute also authorizes NDIS to include analysis of DNA samples\nrecovered from crime scenes or from unidentified human remains, as well as\nthose voluntarily contributed from relatives of missing persons.\n\nAllowable Disclosure of DNA Profiles\n\n       The Statute requires that NDIS only include DNA information that is\nbased on analyses performed by or on behalf of a criminal justice\nagency \xe2\x80\x93 or the U.S. Department of Defense \xe2\x80\x93 in accordance with QAS\nissued by the FBI. The DNA information in the index is authorized to be\ndisclosed only: (1) to criminal justice agencies for law enforcement\nidentification purposes; (2) in judicial proceedings, if otherwise admissible\npursuant to applicable statutes or rules; (3) for criminal defense purposes,\nto a defendant who shall have access to samples and analyses performed in\nconnection with the case in which the defendant is charged; or (4) if\npersonally identifiable information (PII) is removed for a population statistics\ndatabase, for identification research and protocol development purposes, or\nfor quality control purposes.\n\nCODIS Structure\n\n       The FBI implemented CODIS as a distributed database with\nhierarchical levels that enables federal, state, and local crime laboratories to\ncompare DNA profiles electronically. CODIS consists of a hierarchy of three\ndistinct levels: (1) NDIS, managed by the FBI as the nation\xe2\x80\x99s DNA database\n\n      2\n          42 U.S.C.A. \xc2\xa7 14132 (2006).\n\n                                        2\n\n\x0ccontaining DNA profiles uploaded by participating states; (2) the State DNA\nIndex System (SDIS) which serves as a state\xe2\x80\x99s DNA database containing\nDNA profiles from local laboratories within the state and state offenders; and\n(3) the Local DNA Index System (LDIS), used by local laboratories. DNA\nprofiles originate at the local level and then flow upward to the state and, if\nallowable, national level. For example, the local laboratory in the Palm\nBeach County, Florida, Sheriff\xe2\x80\x99s Office sends its profiles to the state\nlaboratory in Tallahassee, which then uploads the profiles to NDIS. Each\nstate participating in CODIS has one designated SDIS laboratory. The SDIS\nlaboratory maintains its own database and is responsible for overseeing\nNDIS issues for all CODIS-participating laboratories within the state. The\ngraphic below illustrates how the system hierarchy works.\n\n                 Example of System Hierarchy within CODIS\n\n                                              NDIS\n                                   Maintained by the FBI\n\n\n\n\nSDIS                            SDIS                             SDIS\nLaboratory                      Laboratory                       Laboratory\nRichmond, CA                    Springfield, IL                  Tallahassee, FL\n\n\n\n                                  LDIS Laboratories (partial list):\n                                  DuPage County Sheriff\xe2\x80\x99s Office\n                                  Illinois State Police, Chicago\n                                  Illinois State Police, Rockford\n\n LDIS Laboratories (partial list):                       LDIS Laboratories (partial list):\n Orange County Sheriff\xe2\x80\x99s Department                      Broward County Sheriff\xe2\x80\x99s Office\n San Bernardino County Sheriff\xe2\x80\x99s Department              Miami-Dade Police Department\n San Diego Police Department                             Palm Beach County Sheriff\xe2\x80\x99s Office\n\n\n\n\nNational DNA Index System\n\n       NDIS, the highest level in the CODIS hierarchy, enables laboratories\nparticipating in the CODIS program to electronically compare DNA profiles on\na national level. NDIS does not contain names or other PII about the\nprofiles. Therefore, matches are resolved through a system of\n\n\n                                                  3\n\n\x0claboratory-to-laboratory contacts. NDIS contains the following eight\nsearchable indices:\n\n       \xe2\x80\xa2\t   Convicted Offender Index contains profiles generated from persons\n            convicted of qualifying offenses. 3\n\n       \xe2\x80\xa2\t   Arrestee Index is comprised of profiles developed from persons who\n            have been arrested, indicted, or charged in an information with a\n            crime.\n\n       \xe2\x80\xa2\t   Legal Index consists of profiles that are produced from DNA\n            samples collected from persons under other applicable legal\n            authorities. 4\n\n       \xe2\x80\xa2\t   Detainee Index contains profiles from non-U.S. persons detained\n            under the authority of the United States and required by law to\n            provide a DNA sample for analysis and entry into NDIS.\n\n       \xe2\x80\xa2\t   Forensic Index profiles originate from, and are associated with,\n            evidence found at crime scenes.\n\n       \xe2\x80\xa2\t   Missing Person Index contains known DNA profiles of missing\n            persons and deduced missing persons.\n\n       \xe2\x80\xa2\t   Unidentified Human (Remains) Index holds profiles from\n            unidentified living individuals and the remains of unidentified\n            deceased individuals. 5\n\n       \xe2\x80\xa2\t   Relatives of Missing Person Index is comprised of DNA profiles\n            generated from the biological relatives of individuals reported\n            missing.\n\n      Given these multiple databases, the main functions of CODIS are to:\n(1) generate investigative leads that may help in solving crimes and\n(2) identify missing and unidentified persons.\n\n\n\n       3\n          The phrase \xe2\x80\x9cqualifying offenses\xe2\x80\x9d refers to local, state, or federal crimes that\nrequire a person to provide a DNA sample in accordance with applicable laws.\n       4\n         An example of a Legal Index profile is one from a person found not guilty by\nreason of insanity who is required by the relevant state law to provide a DNA sample.\n       5\n           An example of an Unidentified Human (Remains) Index profile from a living person\nis a profile from a child or other individual, who cannot or refuses to identify themselves.\n\n                                               4\n\n\x0c       The Forensic Index generates investigative leads in CODIS that may\nhelp solve crimes. Investigative leads may be generated through matches\nbetween the Forensic Index and other indices in the system, including the\nConvicted Offender, Arrestee, and Legal Indices. These matches may\nprovide investigators with the identity of suspected perpetrators. CODIS\nalso links crime scenes through matches between Forensic Index profiles,\npotentially identifying serial offenders.\n\n       In addition to generating investigative leads, CODIS furthers the\nobjectives of the FBI\xe2\x80\x99s National Missing Person DNA Database program\nthrough its ability to identify missing and unidentified individuals. For\ninstance, those persons may be identified through matches between the\nprofiles in the Missing Person Index and the Unidentified Human (Remains)\nIndex. In addition, the profiles within the Missing Person and Unidentified\nHuman (Remains) Indices may be vetted against the Forensic, Convicted\nOffender, Arrestee, Detainee, and Legal Indices to provide investigators with\nleads in solving missing and unidentified person cases.\n\nState and Local DNA Index Systems\n\n       The FBI provides CODIS software free of charge to any state or local\nlaw enforcement laboratory performing DNA analysis. Laboratories are able\nto use the CODIS software to upload profiles to NDIS. However, before a\nlaboratory is allowed to participate at the national level and upload DNA\nprofiles to NDIS, a Memorandum of Understanding (MOU) must be signed\nbetween the FBI and the applicable state\xe2\x80\x99s SDIS laboratory. The MOU\ndefines the responsibilities of each party, includes a sublicense for the use of\nCODIS software, and delineates the standards laboratories must meet in\norder to utilize NDIS. Although officials from LDIS laboratories do not sign\nan MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory\nare required to adhere to the MOU signed by the SDIS laboratory.\n\n       States are authorized to upload DNA profiles to NDIS based on local,\nstate, and federal laws, as well as NDIS regulations. However, states or\nlocalities may maintain NDIS-restricted profiles in SDIS or LDIS. For\ninstance, a local law may allow for the collection and maintenance of a\nvictim profile at LDIS but NDIS regulations do not authorize the upload of\nthat profile to the national level.\n\n       CODIS becomes more useful as the quantity of DNA profiles in the\nsystem increases because the potential for additional leads rises. However,\nthe utility of CODIS relies upon the completeness, accuracy, and quality of\nprofiles that laboratories upload to the system. Incomplete CODIS profiles\nare those for which the required number of core loci were not tested or do\n\n                                       5\n\n\x0cnot contain all of the DNA information that resulted from a DNA analysis and\nmay not be searched at NDIS. 6 The probability of a false match among DNA\nprofiles is reduced as the completeness of a profile increases. Inaccurate\nprofiles, which contain incorrect DNA information or an incorrect specimen\nnumber, may generate false positive leads, false negative comparisons, or\nlead to the misidentification of a sample. Further, laws and regulations\nexclude certain types of profiles from being uploaded to CODIS to prevent\nviolations to an individual\xe2\x80\x99s privacy and foster the public\xe2\x80\x99s confidence in\nCODIS. Therefore, it is the responsibility of the Laboratory to ensure that it\nis adhering to the NDIS operational procedures and the profiles uploaded to\nCODIS are complete, accurate, and allowable for inclusion in NDIS.\n\nLaboratory Information\n\n     The Laboratory is the only CODIS laboratory in the state of North\nDakota and they serve 150 agencies and a population of 720,000. The\nLaboratory is American Society of Crime Laboratory Directors Laboratory\nAccreditation Board (ASCLD/LAB) International certified, which was just\nrenewed in October 2012.\n\n     The Laboratory signed the FBI Memorandum of Understanding on\nJanuary 27, 1999, and began processing criminal case evidence late in\n2000; their first upload to NDIS was on December 19, 2000. The Laboratory\nhas not outsourced the analysis of samples within the last 2 years.\n\n      The Laboratory started receiving offender samples on October 27,\n1999, and began uploading the offender specimens on October 9, 2003. The\nLaboratory has an arrestee database, which it began on August 1, 2009, and\nit does not have a Legal Index database.\n\n\n\n\n      6\n          A \xe2\x80\x9clocus\xe2\x80\x9d is a specific location on a chromosome. The plural form of locus is loci.\n\n                                               6\n\n\x0c                               FINDINGS\n\n     I.\t Compliance with NDIS Operational Procedures\n\n        The Laboratory was in compliance with the NDIS\n        participation requirements regarding sufficient\n        measures to physically and electronically safeguard\n        CODIS, all required personnel have successfully\n        completed the annual training, and for each CODIS\n        user, the appropriate documents were provided to the\n        FBI. However, the Laboratory\xe2\x80\x99s case work match\n        criteria was not detailed. The Laboratory\xe2\x80\x99s written\n        policies were revised and we take no exception to the\n        updated match policies. We make no recommendation\n        to the FBI regarding the Laboratory\xe2\x80\x99s compliance with\n        the NDIS procedures.\n\n      The NDIS operational procedures, which include the NDIS Laboratories\nOperational Procedures, establish the responsibilities and obligations of\nlaboratories that participate in the CODIS program at the national level. The\nNDIS Operational Procedures provide detailed instructions for laboratories to\nfollow when performing certain procedures pertinent to NDIS. The NDIS\noperational procedures we reviewed are listed in Appendix II of this report.\n\nResults of the OIG Audit\n\n       We found that the Laboratory complied with the NDIS operational\nprocedures we reviewed. Specifically, we found the Laboratory had\nsufficient measures to physically and electronically safeguard CODIS;\nadequate policies and procedures for expungement of DNA records, and the\nNDIS procedures were available and accessible to the CODIS users. These\nresults are described in more detail below.\n\n  \xe2\x80\xa2\t The NDIS Security Requirements state that the NDIS participating\n     Laboratory shall be responsible for providing adequate physical\n     security of the CODIS servers and terminals against any unauthorized\n     personnel gaining access to the computer equipment or to any of the\n     stored data. We found that the CODIS workstations were located in a\n     secure section inside the Laboratory building. The workstations were\n     password protected, each CODIS user had a unique user name and\n     password, and the system automatically logged users off after 10\n     minutes of inactivity. The CODIS server was located in a separate\n     room inside the secure laboratory building.\n\n\n                                      7\n\n\x0c  \xe2\x80\xa2\t CODIS users are required to complete annual DNA Records Acceptance\n     training. The FBI provided a list to us of Laboratory personnel who\n     had received this mandatory annual training, which we compared to a\n     list provided by the Laboratory. We found that all authorized\n     personnel have successfully completed the annual training.\n\n  \xe2\x80\xa2\t For each CODIS user, the FBI requires that a participating laboratory\n     submit fingerprint cards, background information, CODIS user\n     information, and Privacy Act explanation to the FBI. We verified that\n     all necessary documents were provided to the FBI for all CODIS users\n     at the Laboratory.\n\n  \xe2\x80\xa2\t The NDIS Operational Procedures defines the procedure for NDIS\n     participating laboratories to follow when confirming matches that are\n     identified in NDIS. In addition, these procedures require that the\n     CODIS Administrator must review and make best efforts to disposition\n     matches within 30 business days. We selected a judgmental sample of\n     five NDIS matches and reviewed available documentation and\n     determine the Laboratory confirmed the matches in a timely manner.\n\n     We did note that the Laboratory\xe2\x80\x99s written casework match criteria was\n     not detailed, it was simply listed as a responsibility of the CODIS\n     Technical Manager. After mentioning this to the CODIS Administrator,\n     the Laboratory\xe2\x80\x99s written policies were appropriately revised. As a\n     result, we take no exception to the Laboratory\xe2\x80\x99s updated match\n     policies.\n\nConclusion\n\n       We found that the Laboratory was in compliance with the NDIS\nparticipation requirements that we reviewed, the Laboratory provided\nadequate physical security of the CODIS servers and terminals, all required\npersonnel had successfully completed the annual training, all necessary\ndocuments were provided to the FBI for all CODIS users at the Laboratory,\nand the judgmentally selected sample of five NDIS matches were confirmed\nin a timely manner.\n\nWe made no recommendations concerning our review of the NDIS\nOperational Procedures.\n\n\n\n\n                                     8\n\n\x0c   II. Compliance with Quality Assurance Standards\n\n           We found that the Laboratory complied with the Quality\n           Assurance Standards (QAS) we tested. Specifically, we\n           found that the Laboratory: (1) underwent Quality\n           Assurance Standard reviews within designated\n           timeframes, (2) had policies in place to help ensure\n           laboratory access was limited to authorized personnel,\n           and (3) had adequate procedures to ensure the\n           integrity of evidence and convicted offender samples.\n           We make no recommendations to the FBI regarding the\n           Laboratory\xe2\x80\x99s compliance with the QAS.\n\n      During our audit, we considered the Forensic and Offender QAS issued\nby the FBI. 7 These standards describe the quality assurance requirements\nthat the Laboratory must follow to ensure the quality and integrity of the\ndata it produces. We also assessed the two most recent QAS reviews that\nthe laboratory underwent. 8 The QAS we reviewed are listed in Appendix II.\n\nResults of the OIG Audit\n\n      We found that the Laboratory complied with the Forensic and Offender\nQAS tested. Specifically, we found the Laboratory underwent Quality\nAssurance Standard reviews, had policies in place to help ensure Laboratory\naccess was limited to authorized personnel, and had adequate procedures to\nensure the integrity of evidence and convicted offender samples. These\nresults are described in more detail below.\n\n   \xe2\x80\xa2\t The QAS requires laboratories to undergo an annual review, including\n      an external review every 2 years. The Laboratory had external quality\n      assurance reviews conducted in August 2011 and March 2012. The\n      frequency of these reviews met the QAS requirements.\n\n\n\n       7\n         Forensic Quality Assurance Standards refer to the Quality Assurance Standards for\nForensic DNA Testing Laboratories, effective September 1, 2011.\n       8\n          The QAS require that laboratories undergo annual audits. Every other year, the\nQAS requires that the audit be performed by an external agency that performs DNA\nidentification analysis and is independent of the laboratory being reviewed. These audits\nare not required by the QAS to be performed in accordance with the Government Auditing\nStandards (GAS) and are not performed by the Department of Justice Office of the\nInspector General. Therefore, we will refer to the QAS audits as reviews (either an internal\nlaboratory review or an external laboratory review, as applicable) to avoid confusion with\nour audits that are conducted in accordance with GAS.\n\n                                             9\n\n\x0c\xe2\x80\xa2\t We reviewed the Laboratory\xe2\x80\x99s prior 2 years of QAS review reports.\n   Both the August 2011 and March 2012 reviews were conducted using\n   the FBI\xe2\x80\x99s QAS Review Document and the FBI confirmed that QAS\n   reviewers who conducted these reviews completed the FBI QAS\n   Review training course.\n\n\xe2\x80\xa2\t We toured the laboratory and observed that access to the Laboratory\n   is controlled and limited to prevent access by unauthorized personnel.\n   Specifically, the Laboratory has one entrance to the Laboratory for\n   employees and the public. After entering the one entrance, employees\n   swipe their key cards to further access the building while visitors ring a\n   bell for assistance. Law enforcement personnel dropping off evidence\n   go to the evidence drop window. There were security cameras on the\n   exterior of the building and a building security system, which is set\n   after hours. The system includes motion detectors inside the building.\n   We found no deficiencies in the external security at the Laboratory, it\n   is in compliance with the QAS requirements we tested.\n\n\xe2\x80\xa2\t While touring the Laboratory, we also observed the procedures used\n   by the Laboratory to ensure the integrity of physical evidence and\n   convicted offender samples. Evidence chain of custody is tracked in\n   the Laboratory\xe2\x80\x99s Information Management system (LIMS). Evidence is\n   received and entered into LIMS, which generates a bar code number\n   and sticker. Prior to processing, evidence is stored in the evidence\n   storage room, which has shelves, locked refrigerators, and locked\n   freezers. After evidence is analyzed the DNA packets are placed in the\n   evidence vault, which also has dry storage, locked refrigerators and\n   locked freezers. Laboratory staff have scan-card access to the storage\n   room and vault.\n\n   Convicted Offender samples are entered into the Laboratory\xe2\x80\x99s DNA\n   databank system which generates a barcode number and sticker.\n   Prior to processing, the Convicted Offender samples are stored on\n   shelves in the evidence receiving room and after processing they are\n   stored in the evidence vault. Laboratory staff have scan-card access\n   to the evidence receiving room and the evidence vault. Overall, we\n   found no significant deficiencies in the security of evidence and\n   offender samples, we found it to be in compliance with the QAS\n   requirements we tested.\n\n\xe2\x80\xa2\t The QAS requires amplified DNA to be generated, processed, and\n   maintained in a room separate from the sample accessioning, evidence\n   examination, DNA extraction, and PCR setup areas. We observed that\n   the Laboratory has a separate amplification room. After examination,\n\n                                   10\n\n\x0c     extraction, and PCR set up are complete, the analyst places the\n     evidence in a small metal pass-through-door to the amplification room.\n     Based upon our observations, we did not identify any material\n     deficiencies with regard to the Laboratory performing various DNA\n     analysis processes in separate times and spaces.\n\n  \xe2\x80\xa2\t We learned that the Laboratory does not currently outsource the\n     analysis of its forensic DNA samples to another laboratory and has not\n     done so in the past 2 years.\n\n  \xe2\x80\xa2\t The QAS requires that an external quality assurance review be\n     forwarded to the FBI\xe2\x80\x99s NDIS Custodian within 30 days of the\n     participating laboratory\xe2\x80\x99s receipt of the report. We reviewed the\n     submission of the most recent external reviews and found that the\n     reports were submitted to the FBI\xe2\x80\x99s NDIS Custodian in a timely\n     manner.\n\nConclusion\n\n      We found that the Laboratory complied with the FBI\xe2\x80\x99s Forensic QAS\nthat we tested. Specifically, we found that the Laboratory: (1) underwent\nQuality Assurance Standard reviews within the last 2 years; (2) controlled\nand limited Laboratory access to authorized personnel; and (3) had\nadequate procedures to ensure the integrity of evidence and convicted\noffender samples. We made no recommendations concerning our review of\nQuality Assurance Standards.\n\n\n\n\n                                    11\n\n\x0c     III. Suitability of Forensic DNA Profiles in CODIS Databases\n\n         We found 99 of the 100 profiles we reviewed to be\n         complete, accurate, and allowable for inclusion in\n         NDIS. One profile was complete and accurate but,\n         unallowable for inclusion in NDIS, as it came from a\n         shoe removed directly from a suspect. The Laboratory\n         removed the unallowable profile from NDIS prior to the\n         start of our field work. As a result, we take no further\n         exception to the profile and make no recommendation\n         to the FBI.\n\n       We reviewed a sample of the Laboratory\xe2\x80\x99s Forensic DNA profiles to\ndetermine whether each profile was complete, accurate, and allowable for\ninclusion in NDIS. To test the completeness and accuracy of each profile, we\nestablished standards that require a profile include all the loci for which the\nanalyst obtained results, and that the values at each locus match those\nidentified during analysis. Our standards are described in more detail in\nAppendix II of this report.\n\n       The FBI\xe2\x80\x99s NDIS operational procedures establish the DNA data\nacceptance standards by which laboratories must abide. The FBI also\ndeveloped a flowchart as guidance for the laboratories for determining what\nis allowable in the forensic index at NDIS. Laboratories are prohibited from\nuploading forensic profiles to NDIS that clearly match the DNA profile of the\nvictim or another known person that is not a suspect. A profile at NDIS that\nmatches a suspect may be allowable if the contributor is unknown at the\ntime of collection, however, NDIS guidelines prohibit profiles that match a\nsuspect if that profile could reasonably have been expected to be on an item\nat the crime scene or part of the crime scene independent of the crime. For\ninstance, a profile from an item seized from the suspect\xe2\x80\x99s person, such as a\nshirt, or that was in the possession of the suspect when collected is\ngenerally not a forensic unknown and would not be allowable for upload to\nNDIS. The NDIS procedures we reviewed are listed in Appendix II of this\nreport.\n\nResults of the OIG Audit\n\n       We selected a sample of 100 profiles out of the 549 forensic profiles\nthe Laboratory had uploaded to NDIS as of October 11, 2012. Of the 100\nforensic profiles sampled, we found that 1 was unallowable for upload to\nNDIS. The remaining profiles sampled were complete, accurate, and\nallowable for inclusion in NDIS. The specific exception is explained in more\ndetail below.\n\n                                      12\n\n\x0cProfile Allowability\n\n       As part of our review, we examined each of the 100 forensic profiles in\nour sample to determine if the profile was, complete, accurate, and\nallowable based on NDIS guidelines. Specifically, our review examined each\nprofile in the sample to determine its suitability based on NDIS guidelines\nsuch as: (1) whether a crime was committed; (2) whether the profile was\nobtained from the crime scene; and; (3) whether the profile was attributable\nto a putative perpetrator.\n\n       OIG Sample Number ND-13 was complete and accurate but not\nallowable; the sample was taken from a shoe removed directly from the\nsuspect. When we brought this to the CODIS Administrators attention we\nwere informed that the Laboratory removed the profile from NDIS prior to\nthe start of field work. As a result, we take no further exception to the\nprofile and make no recommendation to the FBI. According to the CODIS\nAdministrator, the Laboratory also deleted OIG Sample Number ND-35 prior\nto our arrival because the case had been solved and the profile uploaded did\nnot belong to the person who committed the homicide.\n\nConclusion\n\n      We found 99 of the 100 profiles we reviewed to be complete, accurate,\nand allowable for inclusion in NDIS. One profile was unallowable, as it came\nfrom a shoe removed directly from a suspect. The Laboratory removed the\nunallowable profile from NDIS prior to the start of field work. As a result, we\nmade no recommendations concerning our review of Forensic DNA profiles.\n\n\n\n\n                                      13\n\n\x0c                                                               APPENDIX I\n\n           OBJECTIVES, SCOPE, AND METHODOLOGY\n\n\n      We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we\nplan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n      Our audit generally covered the period from October 2010, through\nNovember 2012. The objectives of the audit were to determine if the: (1)\nLaboratory was in compliance with select National DNA Index System (NDIS)\nOperational Procedures; (2) Laboratory was in compliance with certain\nQuality Assurance Standards (QAS) issued by the FBI; and (3) Laboratory\xe2\x80\x99s\nforensic DNA profiles in CODIS databases were complete, accurate, and\nallowable for inclusion in NDIS. To accomplish the objectives of the audit,\nwe:\n\n  \xe2\x80\xa2\t Examined external Laboratory QAS review reports and supporting\n     documentation for corrective action taken, if any, to determine whether:\n     (a) the Laboratory complied with the QAS, (b) repeat findings were\n     identified, and (c) recommendations were adequately resolved.\n\n     In accordance with the QAS, the internal and external laboratory review\n     procedures are to address, at a minimum, a laboratory\xe2\x80\x99s quality\n     assurance program, organization and management, personnel\n     qualifications, facilities, evidence control, validation of methods and\n     procedures, analytical procedures, calibration and maintenance of\n     instruments and equipment, proficiency testing of analysts, corrective\n     action for discrepancies and errors, review of case files, reports, safety,\n     and previous audits. The QAS require that internal and external reviews\n     be performed by personnel who have successfully completed the FBI\xe2\x80\x99s\n     training course for conducting such reviews. We obtained evidence from\n     the FBI concerning the qualifications of the internal and external\n     reviewers.\n\n  \xe2\x80\xa2\t Interviewed Laboratory officials to identify management controls,\n     Laboratory operational policies and procedures, Laboratory certifications\n     or accreditations, and analytical information related to DNA profiles.\n\n\n                                      14\n\n\x0c  \xe2\x80\xa2\t Toured the Laboratory to observe facility security measures as well as\n     the procedures and controls related to the receipt, processing,\n     analyzing, and storage of forensic evidence and convicted offender DNA\n     samples.\n\n  \xe2\x80\xa2\t Reviewed the Laboratory\xe2\x80\x99s written policies and procedures related to\n     expunging DNA profiles from NDIS and resolving matches among DNA\n     profiles in NDIS.\n\n  \xe2\x80\xa2\t Reviewed supporting documentation for 5 of 39 NDIS matches to\n     determine whether they were resolved in a timely manner. The\n     Laboratory provided the universe of NDIS matches as of November 5,\n     2012. The sample was judgmentally selected to include both\n     case-to-case and case-to-offender matches. This non-statistical sample\n     does not allow projection of the test results to all matches.\n\n  \xe2\x80\xa2\t Reviewed the case files for selected forensic DNA profiles to determine if\n     the profiles were complete, accurate, and allowable for inclusion in\n     NDIS.\n\n     We obtained an electronic file identifying the specimen identification\n     numbers of 549 searchable forensic profiles the Laboratory had\n     uploaded to NDIS between October 1, 2007 and October 11, 2012. We\n     limited our review to a sample of 100 profiles. This sample size was\n     determined judgmentally because preliminary audit work determined\n     that risk was not unacceptably high. (At A.1.PRG, step 1 it was\n     determined that the Laboratory was accredited, and therefore had met\n     minimum criteria for accreditation)\n\n     Using the judgmentally-determined sample size, we employed a\n     stratified sample design to randomly select a representative sample of\n     profiles in our universe. However, since the sample size was\n     judgmentally determined, the results obtained from testing this limited\n     sample of profiles may not be projected to the universe of profiles from\n     which the sample was selected.\n\n      The objectives of our audit concerned the Laboratory's compliance with\nrequired standards and the related internal controls. Accordingly, we did not\nattach a separate statement on compliance with laws and regulations or a\nstatement on internal controls to this report. See Appendix II for detailed\ninformation on our audit criteria.\n\n\n\n                                     15\n\n\x0c                                                                       APPENDIX II\n\n                                AUDIT CRITERIA\n\n      In conducting our audit, we considered the NDIS Operational\nProcedures, QAS, and guidance issued by the FBI regarding forensic profile\nallowability in NDIS. 9 However, we did not test for compliance with\nelements that were not applicable to the Laboratory. In addition, we\nestablished standards to test the completeness and accuracy of DNA profiles\nas well as the timely notification of DNA profile matches to law enforcement.\n\nNDIS Operational Procedures\n\n       The NDIS Operational Procedures, which include the NDIS operational\nprocedures, establish the responsibilities and obligations of laboratories that\nparticipate in NDIS. We focused our audit on specific sections of the\nfollowing NDIS requirements:\n\n   \xe2\x80\xa2   NDIS Laboratories Procedure\n   \xe2\x80\xa2   Quality Assurance Standards Audit Procedure\n   \xe2\x80\xa2   NDIS Confirmation and Hit Dispositioning Procedure\n   \xe2\x80\xa2   NDIS DNA Records Procedure\n   \xe2\x80\xa2   DNA Data Acceptance Standards\n   \xe2\x80\xa2   NDIS Searches Procedure\n   \xe2\x80\xa2   NDIS Security Requirements Procedure\n\nQuality Assurance Standards\n\n      The FBI issued two sets of QAS: (1) QAS for Forensic DNA Testing\nLaboratories, effective September 1, 2011 (Forensic QAS); and (2) QAS for\nDNA Databasing Laboratories, effective September 1, 2011 (Offender QAS).\nThe Forensic QAS and the Offender QAS describe the quality assurance\nrequirements that the Laboratory should follow to ensure the quality and\nintegrity of the data it produces.\n\n      For our audit, we generally relied on the reported results of the\nLaboratory\xe2\x80\x99s most recent annual external review to determine if the\nLaboratory was in compliance with the QAS. Additionally, we performed\naudit work to verify that the Laboratory was in compliance with the QAS\n\n       9\n         The FBI Flowchart is guidance issued to NDIS-participating laboratories separate\nfrom the NDIS operational procedures. The flowchart is contained in the 2010 CODIS\nAdministrator\xe2\x80\x99s Handbook and has been provided to laboratories in forums such as CODIS\nconferences.\n\n                                            16\n\n\x0clisted below because they have a substantial effect on the integrity of the\nDNA profiles uploaded to NDIS.\n\n   \xe2\x80\xa2\t Facilities (Forensic QAS and Offender QAS 6.1): The laboratory shall\n      have a facility that is designed to ensure the integrity of the analyses\n      and the evidence.\n\n   \xe2\x80\xa2\t Evidence Control (Forensic QAS 7.1): The laboratory shall have and\n      follow a documented evidence control system to ensure the integrity of\n      physical evidence. Where possible, the laboratory shall retain or return\n      a portion of the evidence sample or extract.\n\n   \xe2\x80\xa2\t Sample Control (Offender QAS 7.1): The laboratory shall have and\n      follow a documented sample inventory control system to ensure the\n      integrity of the database and known samples.\n\n   \xe2\x80\xa2\t Analytical Procedures (Forensic QAS and Offender QAS 9.5): The\n      laboratory shall monitor the analytical procedures using [appropriate]\n      controls and standards.\n\n   \xe2\x80\xa2\t Review (Forensic QAS 12.1): The laboratory shall conduct\n      administrative and technical reviews of all case files and reports to\n      ensure conclusions and supporting data are reasonable and within the\n      constraints of scientific knowledge.\n\n      (Offender QAS Standard 12.1): The laboratory shall have and follow\n      written procedures for reviewing DNA records and DNA database\n      information, including the resolution of database matches.\n\n   \xe2\x80\xa2\t [Reviews] (Forensic QAS and Offender QAS 15.1 and 15.2): The\n      laboratory shall be audited annually in accordance with [the QAS]. The\n      annual audits shall occur every calendar year and shall be at least 6\n      months and no more than 18 months apart. At least once every 2\n      years, an external audit shall be conducted by an audit team comprised\n      of qualified auditors from a second agency(ies) and having at least one\n      team member who is or has been previously qualified in the laboratory\xe2\x80\x99s\n      current DNA technologies and platform.\n\n   \xe2\x80\xa2\t Outsourcing (Forensic QAS and Offender QAS Standard 17.1): A vendor\n      laboratory performing forensic and database DNA analysis shall comply\n      with these Standards and the accreditation requirements of federal law.\n\n      Forensic QAS 17.4: An NDIS participating laboratory shall have and\n      follow a procedure to verify the integrity of the DNA data received\n\n                                      17\n\n\x0c     through the performance of the technical review of DNA data from a\n     vendor laboratory.\n\n     Offender QAS Standard 17.4: An NDIS participating laboratory shall\n     have, follow and document appropriate quality assurance procedures to\n     verify the integrity of the data received from the vendor laboratory\n     including, but not limited to, the following: Random reanalysis of\n     database, known or casework reference samples; Inclusion of QC\n     samples; Performance of an on-site visit by an NDIS participating\n     laboratory or multi-laboratory system outsourcing DNA sample(s) to a\n     vendor laboratory or accepting ownership of DNA data from a vendor\n     laboratory.\n\nOffice of the Inspector General Standards\n\n       We established standards to test the completeness and accuracy of\nDNA profiles as well as the timely notification of law enforcement when DNA\nprofile matches occur in NDIS. Our standards are listed below.\n\n  \xe2\x80\xa2\t Completeness of DNA Profiles: A profile must include each value\n     returned at each locus for which the analyst obtained results. Our\n     rationale for this standard is that the probability of a false match\n     among DNA profiles is reduced as the number of loci included in a\n     profile increases. A false match would require the unnecessary use of\n     laboratory resources to refute the match.\n\n\n  \xe2\x80\xa2\t Accuracy of DNA Profiles: The values at each locus of a profile must\n     match those identified during analysis. Our rationale for this standard\n     is that inaccurate profiles may: (1) preclude DNA profiles from being\n     matched and, therefore, the potential to link convicted offenders to a\n     crime or to link previously unrelated crimes to each other may be lost;\n     or (2) result in a false match that would require the unnecessary use\n     of laboratory resources to refute the match.\n\n\n  \xe2\x80\xa2\t Timely Notification of Law Enforcement When DNA Profile Matches\n     Occur in NDIS: Laboratories should notify law enforcement personnel\n     of NDIS matches within 2 weeks of the match confirmation date,\n     unless there are extenuating circumstances. Our rationale for this\n     standard is that untimely notification of law enforcement personnel\n     may result in the suspected perpetrator committing additional, and\n     possibly more egregious, crimes if the individual is not deceased or\n     already incarcerated for the commission of other crimes.\n\n                                    18\n\n\x0c                                                                                        APPENDIX III\n\n        FBI RESPONSE TO THE DRAFT REPORT\n\n\n\n                                                             U.S. Depa rlmcnt of J uslice\n\n                                                             Federal Bureau of Investigation\n\n\n\n\n                                                             April 9. 2013\n\nDavid M. Shccrcn. Regional Audit Manager\nDenver Regional Audit Office\nOffice of the Inspector General\n1120 Lincoln, Suitc 1500\nDenver, CO 80203\n\n\nDear Mr. Sheeren:\n               Your memorandum to Director Mueller forwarding the draft audit report for the\nNorth Dakota Office of Attorney General Crime Laboratory, Bismarck, North Dakota\n(Laboratory), has been referred to me for responsc.\n                Your draft report contained no recommendations relating to the Laboratory's\ncompliance with the FBI's Memorandum of Understanding and Qua{jtyA.5~\xc2\xb7urance Standards/or\nDNA Testing Labomtories and DNA Da/abasing lnbomtaries. Thc COOlS Unit reviewed the\ndraft report and since it appears that the Laboratory is in compliance with NDIS participation\nrequirements, Ihe COOlS Unit has no Significant comments to provide about the draft report.\n                Thank you (or sharing the draft audit report with us. If you have any questions,\nplease (eel free 10 comact 1cnnifer C. Wendel , Chief o( the COOlS Unit, at (703) 632-8315.\n\n                                                    Sincerely,\n\n\n                                                      ~~~~(tL~\n                                                      Section Chief\n                                                      Biometrics Analysis Section\n                                                      FBI Laboratory\n\n\n\n\n                                                19\n\n\x0c"